RE: [Assurance] Bronze password reset

  • From: "Capehart,Jeffrey D" <>
  • To: "" <>
  • Subject: RE: [Assurance] Bronze password reset
  • Date: Mon, 12 Jan 2015 14:46:25 +0000
  • Accept-language: en-US

I’m wondering now if the sort-of de facto industry standard of having a few pre-registered questions… your favorite color, name of your first pet, favorite relative’s name, city where you were born… is that reasonable care?

Statistically, it would be reasonably easy to guess any one of the above items. I mean, how many colors can a person even think of when answering these questions? Maybe 6-10? But, as long as the password reset questions are asked TOGETHER and you have to answer all of them correctly at once, then it is more secure than just answering one question.

If there were a set of about 100 top city names and 300 top names (pets/people), then the distribution could be 10*100*300 or 300,000 possible combinations. Appropriate limitations on how frequently you can submit and accept a guess might be reasonable due care for self-service password reset. Of course, the odds are a lot better if you already know one of the items, as a friend, roommate, or relative might. For Bronze, would 3 self-service password reset questions be enough to qualify the risk as still meeting ‘likely’? With Bronze you may not even be sure it was the original named person who registered in the first place anyway.

Would the same restrictions on password guessing apply to the password reset questions for self-service password reset?

Some people don’t want their personal info given out, so they use a fake birthdate. But then when they register under an alias, use a fake birthdate, and then forget their password… if they didn’t keep track of that information, there is no way for them to reset their password, either self-service or via the help desk over the phone. That is a user problem, not an IAM problem.

To me it seems the point of why SSN/birthdate/maiden name were used (PII), and why these password reset questions are used, is so that a person can have some data that doesn’t change that they can always recall the same way. But it should be information that isn’t publicly available the way birthdate and mother’s maiden name seem to have become with sites like Ancestry and Facebook.

If someone is willing to give their mobile phone # over for password reset, that works OK until the number changes due to switching contracts or harassing phone calls/texts, and they then fail to realize they need to update their # on all these internet sites so they can reset their password if they forget it.

No method is perfect. There are pros and cons to each. Every person is different in how diligent they are in remembering, recording, and paying attention. So this is definitely a challenge for IAM. It is a technology challenge to have an automated solution. And with 2-factor, it seems to be an attempt to solve the problem with more technology.

Jeff
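A worked illustration of the guess-space arithmetic in the message above: how the three answer spaces combine when the reset questions are checked together versus one at a time, what a friend who already knows one answer gains, and what a submission rate limit does to an attacker's odds. This is an added example, not part of the original thread; the answer-space sizes are the thread's rough estimates (10 colors, 100 cities, 300 names) and the rate-limit figures are constructed assumptions.

```python
from math import prod

# Constructed answer-space sizes, using the rough estimates from the thread:
# roughly 10 colors, 100 common city names, 300 common pet/person names.
QUESTION_SPACES = {"favorite color": 10, "birth city": 100, "first pet name": 300}


def joint_guess_space(spaces):
    """All answers submitted and checked together: one guess is a full tuple,
    so the spaces multiply (10 * 100 * 300 = 300,000)."""
    return prod(spaces.values())


def sequential_guess_space(spaces):
    """Each answer confirmed on its own before the next is asked: an attacker
    can finish one question before starting the next, so the spaces only add."""
    return sum(spaces.values())


def remaining_space(spaces, known):
    """Guess space left when some answers are already known to the attacker
    (e.g. a friend or roommate who knows the pet's name)."""
    return prod(size for q, size in spaces.items() if q not in known)


def success_probability(space, attempts_per_window, windows):
    """Probability that uniformly random guessing succeeds when the reset form
    accepts at most attempts_per_window guesses per window (e.g. per day),
    with no lockout, over `windows` windows."""
    total_attempts = attempts_per_window * windows
    return min(1.0, total_attempts / space)


def windows_to_reach(space, attempts_per_window, target_probability):
    """Number of rate-limit windows needed to reach the target success
    probability (ceiling division, without math.ceil)."""
    needed_attempts = target_probability * space
    return int(-(-needed_attempts // attempts_per_window))


if __name__ == "__main__":
    joint = joint_guess_space(QUESTION_SPACES)
    seq = sequential_guess_space(QUESTION_SPACES)
    print(f"joint space: {joint}, sequential space: {seq}")
    print("5 guesses/day for a year, joint:", success_probability(joint, 5, 365))
    print("5 guesses/day for a year, sequential:", success_probability(seq, 5, 365))
    print("pet name known, joint:", remaining_space(QUESTION_SPACES, {"first pet name"}))
    print("days to 50% at 5/day, joint:", windows_to_reach(joint, 5, 0.5))
```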

 

From: [mailto:] On Behalf Of Michael W. Brogan
Sent: Friday, January 09, 2015 6:57 PM
To:
Subject: RE: [Assurance] Bronze password reset

Section 3.1 of the IAP says:

“The InCommon Bronze identity assurance profile focuses on sequential identity, that is, reasonable assurance that the same person is authenticating each time with a particular Credential. Assertions under this profile are likely to represent the same Subject each time a Subject identifier is provided.”

With the hypothetical web page password reset scenario described by Eric, I’m not sure how an institution would provide “reasonable assurance that the same person is authenticating each time with a particular Credential.”

--Michael

From: [] On Behalf Of Eric Goodman
Sent: Friday, January 09, 2015 3:08 PM
To: <>
Subject: Re: [Assurance] Bronze password reset

I disagree that alternative means must be used to enable recovery of Bronze accounts. As long as a campus's means for recovery of Bronze accounts protects PII (4.2.2.6), it meets the stated requirements.

So I could create a website that takes an account name and lets you reset the password for that account interactively, with no identity proofing whatsoever, and I can still assert the Bronze IAQ for that account. (At least, if I blank out any PII I have from the original account registration.)

In the best case, your reading implies that there's a huge, unfortunate editing error in the IAP language. If the intent of the IAP was really to have no requirements beyond registration record PII protection, then I'm going to go join Mark in his rathole (see the original thread on participants for the reference there), because there's no longer even an amorphous "reasonable care" requirement in play.

--- Eric